12293 Event Log error source SAM (Duplicate SID deleted)

I am having an issue I haven't seen before and can't find information on. I have a two-DC network that was fine until we moved it to a different location and changed IPs on the network.

The first weekend we had it up at the new location we got errors similar to the ones below and ended up losing about 6 objects in AD due to the situation. It disappeared after that and didn't come back until this week when we joined a few new computers to the domain. One of them apparently grabbed the same SID as an account that has existed since day one on the domain.

Anyway, all I can find is the following article about it, which tells how to check for more duplicates, which there weren't the last time it happened and aren't now. It doesn't tell you how to check for and fix the problem. It mentions that it can happen if the roles are seized, or if one of the masters is down for a while, but to my knowledge this hasn't happened.

If anyone has any information other than the above article I would appreciate it if you could forward it to me via a reply to this post before I lose an account I can't recover.

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12293
Date: 7/20/2006
Time: 4:18:20 PM
User: S-1-5-21-4106901455-2021588547-2731152627-1611
Computer: NTWAPP
Description:
There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CONFERENCEROOM\0ADEL:913f77ba-4d49-4f42-a96b-6633eca5f692,CN=Deleted Objects,DC=nextechwireless,DC=internal. All duplicate accounts have been deleted. Check the event log for additional duplicates.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12293
Date: 7/20/2006
Time: 4:18:20 PM
User: S-1-5-21-4106901455-2021588547-2731152627-1611
Computer: NTWAPP
Description:
There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=Jeff Kisner\0ADEL:f0b72e97-cbb9-4121-b47c-506c1ba69d14,CN=Deleted Objects,DC=nextechwireless,DC=internal. All duplicate accounts have been deleted. Check the

Well, the article does describe how to check and delete the duplicate SID using ntdsutil, which is in the support tools. I have, however, seen instances of duplicate SID when we cloned the WinXP clients as well as some servers; however, it gave errors but did not delete any accounts. We resolved it using a Sysinternals tool called NewSID. This utility would generate a random SID for the computer account when run on the client computer; it requires a reboot after NewSID is run.

We do indeed use cloned workstations in this environment but not servers. We also run sysprep on the clones, which effectively changes the SID of the machine before it's introduced into the network. The other thing against that possibility is that this particular laptop that caused the issue isn't a clone because it was the first model of its type. We used it to make an image but the machine itself was set up from scratch.

Thanks,

Ashley
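
For working out which accounts were removed, here is an added example (not from the thread or the article it mentions) that parses a text export of SAM event 12293 in the layout quoted in the question and groups the deleted objects by the SID in the User field. It assumes the User field carries the SID the objects shared, as the two quoted events suggest; the sample events, SIDs, names and GUIDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the thread (hard-wrapped
# descriptions included). SIDs, names, GUIDs and event 9999 are made up.
SAMPLE = r"""Event Type: Error
Event Source: SAM
Event ID: 12293
User: S-1-5-21-1111111111-2222222222-3333333333-1611
Description:
There are two or more objects that have the same SID attribute in the SAM database. The
Distinguished Name of the account is CN=Example

User\0ADEL:00000000-0000-0000-0000-000000000001,CN=Deleted
Objects,DC=example,DC=internal. All duplicate accounts have been deleted.

Event Type: Error
Event Source: SAM
Event ID: 12293
User: S-1-5-21-1111111111-2222222222-3333333333-1611
Description:
There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is LAPTOP01\0ADEL:00000000-0000-0000-0000-000000000002,CN=Deleted Objects,DC=example,DC=internal.

Event Type: Information
Event Source: SAM
Event ID: 9999
Description:
Unrelated event.
"""

FIELD = re.compile(r"^(Event Source|Event ID|User):\s*(.+?)\s*$", re.M)
# Tombstone RDN: original name, the literal text \0ADEL:, then the object GUID.
TOMBSTONE = re.compile(r"account is (?:CN=)?(.+?)\\0ADEL:([0-9a-fA-F-]{36}),CN=Deleted Objects")

def deleted_by_sid(text):
    """Map User-field SID -> [(original name, objectGUID)] for SAM 12293 events."""
    result = defaultdict(list)
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        head, _, desc = block.partition("Description:")
        fields = dict(FIELD.findall(head))
        if fields.get("Event Source") != "SAM" or fields.get("Event ID") != "12293":
            continue
        m = TOMBSTONE.search(" ".join(desc.split()))  # undo hard wraps
        if m:
            result[fields.get("User", "unknown")].append((m.group(1), m.group(2).lower()))
    return dict(result)

if __name__ == "__main__":
    for sid, objs in deleted_by_sid(SAMPLE).items():
        print(sid, "->", objs)
```

The GUID after `DEL:` is the tombstone's object GUID, which identifies the deleted object under CN=Deleted Objects even after its name has been mangled.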
